Active Directory Federation Services has come into its own, thanks to Microsoft's endless push to the cloud, in which ADFS has taken on a central role in federating identities between on-premises servers and cloud services. In Windows Server 2012 R2, ADFS plays a central role in establishing key capabilities.
You can install Active Directory Federation Services right onto a domain controller in Windows Server 2012 R2, something that was previously forbidden. Now you can put the ADFS role onto a domain controller without having to install Internet Information Services, Microsoft's Web server. However, this isn't something you'd want deployed on a sensitive authentication source because it increases the machine's attack surface.
ADFS improvements create more scenarios
Active Directory Federation Services was significantly expanded to become the engine that creates new scenarios in Windows Server 2012 R2.
Workplace Join. Workplace Join is what I like to call a lighter version of Domain Join. Workplace Join is used on personal devices and allows the corporate IT department to establish a trusted connection between the device, the user and the enterprise resource. For instance, a user with a trusted device can access Work Folders. The device could also access specific internal applications that don't necessarily need to be restricted to on-campus use, but that should still be used only by authorized employees, wherever they happen to be.
Improved single sign-on with extended reach. Once users and devices are joined to the workplace, ADFS in Windows Server 2012 R2 sits in the middle and reuses authentication tokens so users signing into one resource don't have to reenter their credentials in signing into another corporate resource. This includes resources the organization trusts via federation, including authentication through the use of a cloud-based directory. Organizations can connect to applications running in Office 365, Windows Azure and any third-party provider that supports the Security Assertion Markup Language, or SAML.
Web Application Proxy. The Web Application Proxy is a new feature that can work in conjunction with ADFS. The Web Application Proxy is the piece that makes Workplace Join work, as it fills the role of a reverse HTTP proxy. It publishes Web applications and secure features such as Workplace Join, carries the authentication data a user provides, and does the heavy lifting of exposing those applications to users out on the untrusted wilds of the Internet. While the Web Application Proxy feature is part of the new Remote Access role in Windows Server 2012 R2, users hitting the proxy depend on the expanded functionality of ADFS, working in conjunction with this feature, to securely access corporate apps and resources.
Required resources to run Active Directory Federation Services
Active Directory improvements usually require raising your forest functional level or domain functional level, and such an upgrade is problematic for organizations still running older versions of Windows Server. To access the latest in ADFS goodness, you only need to upgrade the server running ADFS to Windows Server 2012 R2 and perform a modest schema upgrade that adds support for storing device objects and their associated attributes. The Web Application Proxy role also must be on a server running Windows Server 2012 R2.
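As an added example (not from the article or from Microsoft's own tooling), the following PowerShell check audits a server against the prerequisites described above and flags the ADFS-on-a-domain-controller layout the article cautions against. It assumes the ActiveDirectory and ServerManager modules are available on the box, and that the Windows Server 2012 R2 schema reports objectVersion 69 (56 is Windows Server 2012).

```powershell
# Added example: prerequisite and placement audit for ADFS / Workplace Join
# on Windows Server 2012 R2. Run on the candidate ADFS or Web Application
# Proxy server. Assumes the ActiveDirectory and ServerManager modules exist.
Import-Module ActiveDirectory
Import-Module ServerManager

$os       = Get-CimInstance Win32_OperatingSystem
$findings = @()

# 1. The ADFS server and the Web Application Proxy must run Windows Server
#    2012 R2, whose kernel version is 6.3.
if ([version]$os.Version -lt [version]'6.3') {
    $findings += "OS version $($os.Version) is older than Windows Server 2012 R2 (6.3); the new ADFS features are unavailable here."
}

# 2. The 'modest schema upgrade' for device objects: the 2012 R2 schema sets
#    objectVersion to 69 on the schema naming context (assumed value, see lead-in).
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$schemaVersion = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
if ($schemaVersion -lt 69) {
    $findings += "Schema objectVersion is $schemaVersion (< 69); extend the schema with the Windows Server 2012 R2 adprep before enabling Workplace Join."
}

# 3. Role placement. ProductType 2 means this machine is a domain controller.
$isDC = ($os.ProductType -eq 2)
$adfs = (Get-WindowsFeature -Name ADFS-Federation).Installed
$wap  = (Get-WindowsFeature -Name Web-Application-Proxy).Installed
$iis  = (Get-WindowsFeature -Name Web-Server).Installed

if ($adfs -and $isDC) {
    $findings += "ADFS role is installed on a domain controller: supported in 2012 R2, but it widens the attack surface of an authentication source."
}
if ($adfs -and $iis) {
    $findings += "IIS is installed alongside ADFS: 2012 R2 ADFS no longer needs it, so remove it to shrink the attack surface."
}
if ($wap -and $isDC) {
    $findings += "Web Application Proxy (an Internet-facing reverse proxy) is installed on a domain controller; it belongs on a separate perimeter server."
}

if ($findings.Count -eq 0) { "No prerequisite or placement findings." } else { $findings }
```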
Windows RT, Windows 8.1, iPhones and iPads are ready to go now with the new ADFS for Workplace Join. Android support is forthcoming.
About the author:
Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include RADIUS, Hardening Windows, Using Microsoft Windows Small Business Server 2003 and Learning Windows Server 2003. Jonathan also speaks worldwide on topics ranging from networking and security to Windows administration. He is president of 82 Ventures LLC, based in North Carolina, and is currently an editor for Apress Media LLC, a publishing company that specializes in books for programmers and IT professionals.